PcStatus.exe

PcStatus

PcStatus.NET

The executable PcStatus.exe has been detected as malware by 5 anti-virus scanners. It runs as a Windows service named “PcStatus Service”. It is set to execute automatically when any user logs into Windows (through the local user run registry setting) with the name ‘PcStatus’. While running, it connects to the Internet address pcstatus.net on port 80 using the HTTP protocol.
Publisher:
PcStatus.NET

Product:
PcStatus

Version:
1.00.0049

MD5:
161024faca44d3461e8e636f7a1f0c71

SHA-1:
c8e3353c9f1e438b18ab43c355c2818d3eb2d346

SHA-256:
e38b40f27d6c89bc37b27d0f7c7abe3e71b1d590d41b6c184dc2f28537129c4c

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
4/24/2024 5:26:45 PM UTC

Scan engine | Detection | Engine version
Avira AntiVirus | TR/Graftor.2974.41 | 7.11.140.76
Comodo Security | UnclassifiedMalware | 18018
IKARUS anti.virus | Trojan.Graftor | t3scan.2.2.29
McAfee | Artemis!161024FACA44 | 5600.7027
Qihoo 360 Security | Win32/Trojan.1fa | 1.0.0.1015

File size:
18.5 KB (18,944 bytes)

Product version:
1.00.0049

Copyright:
(c) PcStatus.NET, 2011

Original file name:
PcStatus.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\pcstatus\pcstatus.exe

File PE Metadata
Compilation timestamp:
6/1/2011 5:52:27 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
384:lMT+MNcxlzF0Ga3hjtbnQmsx4qLlx1q+34/XPzSV2Oa/KuQa:+2lz03hRbnQTzq9zVOfR

Entry address:
0xE6D0

Entry point:
60, BE, 00, B0, 40, 00, 8D, BE, 00, 60, FF, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75...
 

Packer / compiler:
UPX 2.90LZMA

Code size:
16 KB (16,384 bytes)

124 Scheduled Tasks
Task name:
PcStatus.013.location

Trigger:
Logon (Runs on logon)

Action:
pcstatus.exe --userspace --interactive=3 --taskname=pcstatus.01

Task name:
PcStatus.013.helene

Trigger:
Logon (Runs on logon)

Action:
pcstatus.exe --userspace --interactive=3 --taskname=pcstatus.01

Task name:
PcStatus.013.richard

Trigger:
Logon (Runs on logon)

Action:
pcstatus.exe --userspace --interactive=3 --taskname=pcstatus.01

Task name:
PcStatus.013.ordinatec

Trigger:
Logon (Runs on logon)

Action:
pcstatus.exe --userspace --interactive=3 --taskname=pcstatus.01

Task name:
PcStatus.013.claude

Trigger:
Logon (Runs on logon)

Action:
pcstatus.exe --userspace --interactive=3 --taskname=pcstatus.01

Task name:
PcStatus.013.mon_1pc

Trigger:
Logon (Runs on logon)

Action:
pcstatus.exe --userspace --interactive=3 --taskname=pcstatus.01


Service
Display name:
PcStatus Service

Service name:
PcStatus

Type:
Win32OwnProcess, InteractiveProcess


Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
PcStatus

Command:
"C:\Program Files\pcstatus\pcstatus.exe" --userspace --interactive=3


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to pcstatus.net  (66.254.41.66:80)

TCP (HTTP):
Connects to spybot-update.co.uk  (87.106.2.233:80)

TCP (HTTP):
Connects to s15312661.rootmaster.info  (213.165.90.132:80)

TCP:
Connects to 216-191-31-2.dedicated.allstream.net  (216.191.31.2:44444)
